
CyberheistNews Vol 15 #43 | October 28th, 2025
[Heads Up] Block Attackers Who Abuse Grok to Spread Phishing Links
Threat actors are abusing X’s generative AI bot Grok to spread phishing links, according to researchers at ESET. The attackers achieve this by tricking Grok into thinking it’s answering a question and providing a link in its answer.
“In this attack campaign, threat actors circumvent X’s ban on links in promoted posts (designed to fight malvertising) by running video card posts featuring clickbait videos,” ESET says.
“They are able to embed their malicious link in the small ‘from’ field below the video. But here’s where the interesting bit comes in: The malicious actors then ask X’s built-in GenAI bot Grok where the video is from. Grok reads the post, spots the tiny link, and amplifies it in its answer.”
The researchers found hundreds of accounts using this technique, with their posts receiving millions of impressions. Because Grok is a trusted, legitimate tool, its replies also gave these posts a search-engine (SEO) boost.
While ESET’s report focuses on Grok, the researchers note that this same technique could be applied to any generative AI tool.
“There really is an unlimited number of variations on this threat,” they write. “Your number one takeaway should be never to blindly trust the output of any GenAI tool. You simply can’t assume that the LLM has not been tricked by a resourceful threat actor.
They are banking on you to do so. But as we’ve seen, malicious prompts can be hidden from view — in white text, metadata or even Unicode characters. Any GenAI that searches publicly available data to provide you with answers is also vulnerable to processing data that is “poisoned” to generate malicious content.”
Blog post with links:
https://blog.knowbe4.com/attackers-abuse-grok-to-spread-phishing-links
[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.
Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.
See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:
- SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
- Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
- Automated Training Agent – Automatically identify high-risk users and assign personalized training
- Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies.
- Enhanced Executive Reports – Track user activities, visualize trends, download widgets, and improve searching/sorting to provide deeper insights and streamline collaboration
See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.
Date/Time: Wednesday, November 12 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN
Alert: Watch Out for Phishing Attacks in the Wake of the AWS Outage
Cybernews warns that threat actors will likely take advantage of the recent AWS outage to launch phishing attacks against affected users.
Attackers often exploit high-profile events to launch social engineering attacks. When users are stressed or confused, they’re more likely to act without thinking.
“Phishing attacks have one thing in common—they prey on human emotion, and in the case of services going down or being unable to access an account for extended periods of time, take advantage of a victim’s sense of urgency, fear, and confusion,” Cybernews says.
“With the help of AI tools, these hackers can easily create an email that appears to be sent directly from the impacted organization, complete with identical logos and structure, and often a spoofed email address or phone number that mimics the legitimate ones.”
Attackers may impersonate Amazon or tech support services offering to help users recover connectivity or receive compensation for the downtime.
“Users should be wary of emails or texts with ‘clickable links’ offering to provide outage updates, restore access to its services or app, or even offering to compensate users financially for time the service or app was down,” the researchers write. “Additionally, users should also watch out for scammers claiming to be from an app’s tech support, another tried-and-true scheme used by cybercriminals worldwide.”
Users can follow security best practices and maintain a healthy sense of suspicion to avoid falling for social engineering attacks.
“In the aftermath of a significant outage or cyber event, to avoid targeted phishing attacks, users should always be skeptical of any emails, texts, or phone calls claiming to fix the outage or restore services,” Cybernews says.
“Never click on any unsolicited links or pop-ups as these could install malware on your device for more invasive attacks, steal your personally identifiable information (PII) using a keystroke logger, or send you to a fake webpage asking the user to input their login credentials.”
Blog post with links:
https://blog.knowbe4.com/alert-watch-out-for-phishing-attacks-in-the-wake-of-the-aws-outage
Do Users Put Your Organization at Risk with Browser-Saved Passwords?
Is the popularity of password dumpers, malware that allows cybercriminals to find and “dump” passwords your users save in web browsers, putting your organization at risk?
KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused and old passwords your users save in Chrome, Firefox and Edge web browsers.
BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.
With BPI you can:
- Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
- Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization
- Better manage and strengthen your organization’s password hygiene policies and security awareness training efforts
Get your results in a few minutes!
Find Out Now:
https://info.knowbe4.com/browser-password-inspector-chn
Half of UK Young Adults Cite Deepfakes as a Top Fear
A new survey found that 50% of UK residents aged 16 to 34 cite deepfake nudes as their top worry related to AI technology, SecurityBrief reports.
The survey, published by VerifyLabs, found that 35% of Brits across all age groups said sexualized deepfakes of themselves or their children were their top concern.
“The study indicated that more than one in three respondents (36%) are also worried about the impact deepfakes could have on their family and friends,” SecurityBrief writes. “These findings point to serious emotional and psychological risks associated with the malicious use of deepfake technology, especially when it targets individuals or their loved ones.”
More than half (55%) of UK adults cited financial losses as their top fear associated with AI. Cybercriminals are increasingly using AI tools to craft extremely convincing social engineering attacks.
“Financial risks associated with deepfakes remain a prominent fear,” SecurityBrief writes. “According to the research, more than half of those surveyed (55%) cited uses for scams and fraud as their greatest concern. Almost half (47%) highlighted sophisticated business fraud, including blackmail, criminal activity, and the potential loss of life savings, as their leading worry. A further 44% are apprehensive about AI-generated content facilitating unauthorized access to personal or sensitive information.”
Additionally, SecurityBrief notes that “10% of participants are unsure what constitutes a deepfake call, demonstrating a need for greater public education on the forms and risks of audio-based deepfake scams.”
These attacks will keep growing as AI tools become more sophisticated. AI-powered security awareness training can enable your employees to stay ahead of evolving social engineering threats. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/half-of-young-people-in-the-uk-cite-non-consensual-deepfakes-as-a-top-fear
“If I have seen further it is by standing on the shoulders of Giants.”
– Sir Isaac Newton (1642–1727)
“An Ounce of Prevention is worth a Pound of Cure.”
– Benjamin Franklin (1706–1790)
Franklin uses this exact line in his fire-safety essay “On Protection of Towns from Fire” (Pennsylvania Gazette, Feb. 4, 1735).
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-43-heads-up-block-attackers-who-abuse-grok-to-spread-phishing-links
Security News
Phishing Campaign Impersonates Password Managers
A phishing campaign is impersonating LastPass and Bitwarden with phony breach notifications, BleepingComputer reports.
“An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager,” BleepingComputer writes.
“The messages direct recipients to download a binary that BleepingComputer has discovered installs Syncro, a remote monitoring and management (RMM) tool used by managed service providers (MSP) to streamline IT operations.
The threat actors are using the Syncro MSP program to deploy the ScreenConnect remote support and access software.”
BleepingComputer adds, “Once ScreenConnect is installed on a device, the threat actors can remotely connect to a target’s computer and deploy further malware payloads, steal data, and potentially access the password vaults of users through saved credentials.”
Syncro has since taken action to shut down the malicious installations. LastPass also issued an advisory on the campaign, stressing that the emails are fake and the company has not been hacked.
LastPass stated, “Please remember that no one at LastPass will ever ask for your master password. Rest assured, we are working to have this domain taken down as soon as possible and at the time of publication, Cloudflare has posted warning pages in front of the site advising visitors that these sites are phishing pages.
“Please take the appropriate precautions and, as always, if you are ever unsure whether a LastPass-branded email is legitimate, please submit it to abuse@lastpass.com.”
AI-powered security awareness training can give your employees a healthy sense of suspicion so they can recognize social engineering tactics.
BleepingComputer has the story:
https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/
Phishing Campaign Impersonates Google Careers Recruiters
A phishing campaign is impersonating Google Careers to target job seekers, according to researchers at Sublime Security.
“The scam is simple,” the researchers write. “An adversary sends an ‘are you open to talk?’ message impersonating an outreach email from Google Careers. If the target clicks the link, they’re taken to a landing page designed to look like a Google Careers meeting scheduler.
“From there, they’re taken to the phishing page. What makes this attack particularly interesting is that it is in active development. We have observed threat actors refining and adjusting their tactics and techniques over time, evolving to evade detection.”
The phishing pages are designed to steal users’ Google account credentials, as well as their names, email addresses, and phone numbers. Most of the phishing emails are in English, but the researchers also found samples in Spanish, Swedish, and other languages.
Sublime Security outlines the following red flags associated with this campaign:
- “Brand impersonation: These messages impersonated Google Careers, but were delivered on non-Google Careers infrastructure.
- Domain deception: Links to a domain that mimics Google branding but is not a Google domain (ex: gteamcareers[.]com).
- Newly registered domain: The sender and/or links within the message use domains that were registered within the past 30 days.
- Suspicious sender domain: Misalignment between claimed sender identity (Google Careers) and actual sender domain (varied).
- Response urgency: Job offers came with vague details, but required immediate action (scheduling a call).
- Deceptive recruitment outreach: Follows typical job scam patterns with flattering language and limited specifics.”
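The red flags above are mechanical enough to check automatically. As an added example (not Sublime Security’s or KnowBe4’s code), the following Python triages a constructed sample message against four of them; the brand’s legitimate domain, the lookalike tokens and the registration dates are assumptions standing in for a real allowlist and a WHOIS/RDAP lookup.

```python
import email.utils
import re
from datetime import date
from email import policy
from urllib.parse import urlparse

# Constructed sample in the shape the page describes: brand name in the display
# name, link on a lookalike domain. Domains are placeholders, not real indicators.
SAMPLE_EMAIL = """\
From: Google Careers <recruiting@gteamcareers.example>
Subject: Are you open to talk?
Content-Type: text/plain

Hi, we'd love to schedule a quick call this week.
Book a slot: https://gteamcareers.example/schedule
"""

BRAND = "Google Careers"                        # impersonated brand (from the page)
LEGIT_DOMAINS = {"google.com"}                  # assumed legitimate domain for the brand
BRAND_TOKENS = ("google", "gteam", "careers")   # assumed lookalike substrings
# Assumed: in practice these dates come from a WHOIS/RDAP lookup; constructed here.
REGISTRATION_DATES = {"gteamcareers.example": date(2025, 10, 10)}

def _host(s):
    return (s or "").lower().split(":")[0]

def _is_brand_domain(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def red_flags(raw, today=date(2025, 10, 28)):
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"]))
    flags = set()
    # Suspicious sender domain: claimed brand in display name, non-brand address
    if BRAND.lower() in name.lower() and not _is_brand_domain(_host(addr.rsplit("@", 1)[-1])):
        flags.add("suspicious_sender_domain")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        host = _host(urlparse(url).hostname)
        # Domain deception: brand-like tokens on a domain the brand does not own
        if not _is_brand_domain(host) and any(t in host for t in BRAND_TOKENS):
            flags.add("domain_deception")
        reg = REGISTRATION_DATES.get(host)
        if reg and (today - reg).days <= 30:
            flags.add("newly_registered_domain")
    # Response urgency: push to schedule a call with no concrete job details
    if re.search(r"schedule a (quick )?call|open to talk", body, re.I):
        flags.add("response_urgency")
    return sorted(flags)
```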
AI-powered security awareness training can give your employees a healthy sense of suspicion so they can recognize social engineering tactics. KnowBe4 empowers your workforce to make smarter security decisions every day.
Sublime Security has the story:
https://sublime.security/blog/google-careers-impersonation-credential-phishing-scam-with-endless-variation/
What KnowBe4 Customers Say
“Hi actual Bryan (not a phishing or automated guy)! Sorry for the delayed response – we’re in the middle of a SOC 2 Type II audit so it’s chaos here. Everything KnowBe4 is going great for us, thanks! We have our monthly phishing simulation campaign up and running (getting our baseline numbers in… about to increase difficulty rating), Annual InfoSec and New-Hire Trainings all set, we’ll be chatting about additional training in 2026 (OWASP, Secure Data Handling, etc.), we’ve got Scam of the Week going, I love smart groups – and we have some of those up and running.
“So we’re really happy where we are right now, we may increase our program in 2026. Many thanks for all you do. I’m actually a contracted Security and Compliance consultant here and I’m running the KnowBe4 security program for 3 additional clients as well. They all love the product too!”
– C.M., Security and Compliance Consultant
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links
